A recent joint cybersecurity alert published by the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) revealed that a hacking group connected to the Iranian government has been detected exploiting a number of vulnerabilities in cyberattacks on U.S. companies and government agencies. The advisory followed closely on the heels of a similar advisory warning that hackers associated with the Chinese government were conducting cyberattacks that exploited the same vulnerabilities.
The Iranian hacking group, tracked as UNC757 and also known as Pioneer Kitten, has been exploiting vulnerabilities in Citrix NetScaler, F5 networking products, and Pulse Secure VPNs to gain initial access to networks. The group has also been observed using open source tools such as Nmap to find weaknesses in exposed systems, for example open ports.
Two vulnerabilities in Pulse Secure products have been exploited. CVE-2019-11510 is an arbitrary file read vulnerability affecting Pulse Connect Secure enterprise VPN servers. CVE-2019-11539 is an authenticated command injection vulnerability affecting the Pulse Secure Pulse Connect Secure software.
CVE-2019-19781 is a remote code execution vulnerability affecting Citrix Gateway and Citrix SD-WAN WANOP appliances. It is being exploited alongside CVE-2020-5902, a remote code execution vulnerability in F5's BIG-IP products.
Once inside a network, the hackers obtain administrator credentials and deploy web shells such as ChunkyTuna, China Chopper and Tiny to entrench themselves more deeply. They rely heavily on open source and operating system tooling to carry out their operations, for example fast reverse proxy (FRP), an LDAP (Lightweight Directory Access Protocol) directory browser, and ngrok. TightVNC and Plink are frequently used for lateral movement.
The hackers were seen using a number of techniques to evade detection, including hiding tasks and services, compiling code after delivery, software packing, and disguising malicious files as legitimate Dynamic Link Library (DLL) files. They were also observed cleaning up files every 30 minutes on compromised NetScaler devices to minimize their footprint.
CISA assesses that the hackers are likely engaged in data theft, based on their use of tools such as the ChunkyTuna web shell and 7-Zip, although no direct evidence confirming exfiltration has been found. The hackers are also known to have accessed sensitive records on compromised networks and were offering access to compromised organizations for sale on a hacking forum.
Although Pioneer Kitten is linked to the Iranian government and furthers the government's interests, the group also carries out attacks for monetary gain and is believed to have the capability to deploy ransomware on victims' networks.
Pioneer Kitten has attacked government institutions and companies in a range of industries in the USA, including healthcare, finance, information technology, insurance, and media.
Identifying and Blocking Attacks
Many of the attacks exploit vulnerabilities for which patches are available but have not yet been applied. Prompt patching is the best protection against these attacks.
Besides patching the F5, Pulse Secure, and Citrix vulnerabilities, it is essential to check whether the vulnerabilities have already been exploited.
The hacking group in particular uses ngrok to expose a local port to the internet. This activity may appear in network logs as TCP port 443 connections to external web-based infrastructure, while FRPC (the FRP client) is used on TCP port 7557.
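As an added example (not part of the advisory or this article), the following Python script scans a constructed firewall connection export for the two network indicators named above: outbound connections on TCP 7557 (FRPC) and connections to ngrok tunnel endpoints. The log line layout and the `.ngrok.io` endpoint suffix are assumptions made for this example.

```python
import re
from typing import Dict, List, Optional

# Indicators taken from the advisory summary above.
FRPC_PORT = 7557              # FRP client traffic was observed on TCP 7557
NGROK_SUFFIX = ".ngrok.io"    # assumption: ngrok tunnel endpoints resolve under this domain

# Assumed (constructed) firewall export layout, one connection per line:
# <timestamp> <src_ip> <dst_ip> <dst_port> <dst_hostname or -> <bytes_out>
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<port>\d+)\s+(?P<host>\S+)\s+(?P<bytes>\d+)$"
)

# Constructed sample export: one FRPC hit, one ngrok hit, two benign lines, one malformed line.
SAMPLE_LOG = """\
2020-09-15T10:01:00Z 10.0.0.5 203.0.113.10 443 - 5120
2020-09-15T10:02:00Z 10.0.0.5 198.51.100.7 7557 - 220000
2020-09-15T10:03:00Z 10.0.0.8 192.0.2.44 443 3.tcp.ngrok.io 98000
2020-09-15T10:04:00Z 10.0.0.9 203.0.113.20 80 example.com 1500
this line is malformed and should be skipped
"""


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of one log line, or None if it does not match the assumed layout."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(rec: Dict[str, str]) -> Optional[str]:
    """Map one connection record to an indicator name, or None if nothing matches."""
    if int(rec["port"]) == FRPC_PORT:
        return "frpc_port_7557"
    host = rec["host"].lower()
    if host != "-" and host.endswith(NGROK_SUFFIX):
        return "ngrok_tunnel_endpoint"
    return None


def scan(log_text: str) -> List[Dict[str, str]]:
    """Scan a log export and return one alert dict per connection matching an indicator."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable lines are skipped rather than treated as matches
        indicator = classify(rec)
        if indicator:
            alerts.append({"indicator": indicator, "src": rec["src"], "dst": rec["dst"], "ts": rec["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

Plain port-443 traffic to an unknown host is deliberately not flagged on its own, since it is indistinguishable from normal HTTPS without further context such as session duration or destination reputation.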
CISA’s cybersecurity advisory includes some other Indicators of Compromise (IoCs) together with various mitigations that must be applied to further minimize the possibility of attacks.